Run the system policy editor windows windows computer


- Professional
- Server
- Deploy service packs.
- Install applications by using Windows Installer packages.
- Implement, configure, manage, and troubleshoot local
in a Windows 2000 environment.
- Implement, configure, manage, and troubleshoot Local
CHAPTER 10
- Maintain software by using Group Policy.
- Configure deployment options.
Using System Policy and Group Policy
Chapter Pre-Test
5. Fill in the blanks: Group Policy consists of two components: an Active Directory object, called a ________ ________ ________ , and a series of files and folders that are automatically created when the Active Directory object is created.
Managing System Policy
System Policy is a collection of Administrator-created user, group, and computer system policies that enable an administrator to manage non-Windows 2000 client computers (and their users) on a Windows 2000 network. For example, you can use System Policy to restrict the user’s ability to perform certain tasks or to enforce mandatory display settings, such as wallpaper and color scheme. You can also use System Policy to configure computer settings, such as a custom logon banner that is displayed each time a user logs on to a particular computer.
In addition to enabling the administrator to limit the changes users can make to their work environments, System Policy can be used as a security measure to limit access to parts of the network, to restrict the use of specific tools such as the Registry Editor, and to remove the Run command option from the Start menu.
The following sections explain the components that can be included in System Policy, including user system policy, group system policy, and computer system policy.
There are a variety of settings that you can configure in a user system policy. Figure 10-1 shows all of the configurable options for a Windows NT individual user policy. The same list of configurable options is available for the Default User policy.
The actual process of configuring the check boxes in this list is covered in the “Creating a System Policy File” section later in this chapter.
FIGURE 10-1 Configurable settings in a Windows NT 4.0 user system policy
A user may belong to multiple groups that each have a group system policy. When this is the case, the policies are applied in a specific order. For example, suppose that a user of a Windows NT 4.0 client computer, JohnS, belongs to three groups: Domain Admins, Managers, and Sales, and that each of these three groups has a group system policy. The groups are listed in this order, from the top down, in the Group Priority dialog box in System Policy Editor. Also suppose that JohnS does not have an individual user policy. When JohnS logs on to the domain, the group system policy for the Sales group (which has the lowest group priority because it is at the bottom of the list) is applied first. Then the group system policy for the Managers group is applied. Finally, the group system policy for the Domain Admins group (which has the highest group priority because it is at the top of the list) is applied to JohnS. As each group system policy is applied, it overwrites any conflicting settings from previously applied group policies. The last group system policy applied (in this case, the Domain Admins group system policy) takes precedence over the lower priority group system policies.
An Administrator can configure group system policy priority by moving a group up or down in the Group Priority dialog box. The group at the top of the box has the highest priority.
Chapter 10 M Using System Policy and Group Policy 663
An individual computer policy applies to a single, specific client computer. Normally, an individual computer policy is created only when a client computer requires a unique policy that differs from the Default Computer policy.


664 Part III M Managing and Securing Resources
System Policy is applied in the following sequence:
1. If a user has an individual user policy, it is applied.
4. If the non-Windows 2000 client computer the user logs on to has an individual computer policy, it is applied.
- The Default User policy only
- A combination of the Default User policy and a group system policy (or policies, if the user is a member of multiple groups that each have a group system policy)
STEP BY STEP
4. Two icons are displayed: Default Computer and Default User.
Customize the Default Computer and Default User policies as appropriate. To customize a policy, double-click the policy’s icon. Then, in the policy’s Properties dialog box, click the + next to the options you want to expand and configure. Then configure the check box next to each option you want to configure. Each check box has three possible configurations:
To create a new policy, select the appropriate option from the Edit menu (either Add User, Add Computer, or Add Group). Then, in the Add User, Add Computer, or Add Group dialog box, type the name of the user, computer, or group for which you want to create a policy. Click OK.
Then customize your new policy (or policies) by using the instructions in Step 4.
2. Save the System Policy file as Config.pol instead of Ntconfig.pol.


This is not a recommended practice, because using System Policy Editor permanently changes the registry on a computer — if you decide you want to revert to default settings at a later date, you’ll have to manually change each and every setting that you previously changed.
I recommend that you use Group Policy (or Local Group Policy) to configure settings on a Windows 2000 computer instead of using the System Policy Editor, because registry changes made by Group Policy are easily reversible.



Managing Group Policy
Group Policy is a brand new Windows 2000 feature. Group Policy is a policy that contains rules and settings that are applied to Windows 2000 computers, their users, or both, that are located in a specific part of Active Directory. I like to think of Group Policy as System Policy on steroids — it’s much bigger, meaner, and more powerful than System Policy.
By using Group Policy, an Administrator can specify and manage a number of user and computer settings, including:
- Settings that manage software deployment: You can specify an application that will be automatically installed on a computer when the computer starts, or automatically installed when a user opens a file with an extension associated with that application. You can manage the deployment of multiple applications by using Group Policy.
Group Policy is typically implemented in Active Directory. However, Group Policy can be implemented directly on the local computer. When implemented on the local computer, Group Policy is called Local Group Policy.
a domain, or an organizational unit (OU). Group Policy applies to computers, users, or both, that are contained within the site, domain, or OU with which the GPO is associated. An Active Directory container may have more than one GPO associated with it.
How Group Policy Is Applied
3. When a user logs on, the user’s profile is loaded, then all Group Policy settings that apply to the user are applied.
4. If the Group Policy settings that apply to the user specify that a logon script (or scripts) be run, this script is run. Then, if a user has an individual logon script assigned to his or her user account, this logon script is run.
Inheritance and Group Policy
Another factor that affects how Group Policy is applied is inheritance. An Active Directory object, such as a user or a computer, normally inherits Group Policy from the container in which the object resides and from the parent containers above it in the Active Directory tree. Group Policy is applied from the top of the tree down. This means that the normal sequence of Group Policy application is first site, then domain, then OU. The key point is that when Group Policy settings conflict, the Group Policy that is applied last is the policy that takes precedence. Because the last Group Policy that is normally applied is the Group Policy associated with the OU that a computer or user is contained in, the Group Policy of the OU normally takes precedence when settings conflict. Here are a couple of examples that explain how inheritance affects the application of Group Policy.
Periodic Updates of Group Policy
Local Group Policy is configured on an individual Windows 2000 computer by using the Group Policy snap-in to the Microsoft Management Console (MMC). You must be a member of the Administrators group on the local computer to manage Local Group Policy.
As you may recall, Local Group Policy is applied first, so if its settings conflict with Group Policy settings, the conflicting Group Policy settings take precedence, because they are applied last.
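The ordering rules described in this chapter, group system policy priority and the Local Group Policy, site, domain, OU sequence, both come down to "the policy applied last wins." The following Python code is an added example, not from the book: it models only that default ordering, and every setting name and value in it is constructed for illustration. It resolves the effective settings and lists each setting that a later policy changed.

```python
# Added example; setting names and values are constructed for illustration.

def resolve(layers):
    """layers: [(source, {setting: value})] in application order.
    Returns {setting: (value, source)}; later layers overwrite conflicts."""
    effective = {}
    for source, settings in layers:
        for name, value in settings.items():
            effective[name] = (value, source)
    return effective

def system_policy_layers(group_priority, group_policies, user_groups):
    """Group Priority lists the highest-priority group at the top, so the
    user's group system policies are applied from the bottom of the list up."""
    return [(g, group_policies[g]) for g in reversed(group_priority)
            if g in user_groups and g in group_policies]

def overridden(layers):
    """Return (setting, (old value, old source), (new value, new source))
    for every setting that a later layer changed."""
    findings, seen = [], {}
    for source, settings in layers:
        for name, value in settings.items():
            if name in seen and seen[name][0] != value:
                findings.append((name, seen[name], (value, source)))
            seen[name] = (value, source)
    return findings

# JohnS from the text: member of all three groups, no individual user policy.
GROUP_PRIORITY = ["Domain Admins", "Managers", "Sales"]  # top = highest
GROUP_POLICIES = {
    "Sales": {"registry_editor_disabled": True, "run_command_removed": True,
              "wallpaper": "sales.bmp"},
    "Managers": {"wallpaper": "corp.bmp"},
    "Domain Admins": {"registry_editor_disabled": False},
}
JOHNS = system_policy_layers(GROUP_PRIORITY, GROUP_POLICIES, set(GROUP_PRIORITY))

# Group Policy: Local Group Policy first, then site, domain, OU.
GPO_LAYERS = [
    ("Local Group Policy", {"run_command_removed": False}),
    ("site GPO", {"logon_banner": "Site notice"}),
    ("domain GPO", {"run_command_removed": True}),
    ("OU GPO", {"logon_banner": "OU notice"}),
]

if __name__ == "__main__":
    for layers in (JOHNS, GPO_LAYERS):
        print(resolve(layers), overridden(layers))
```

For JohnS, the Registry Editor restriction set by Sales is reported as changed by Domain Admins, which is the kind of conflict to review before relying on a lower-priority group policy as a lockdown.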
3. The Group Policy snap-in to the MMC is displayed, as shown in Figure 10-3. Notice the separate Computer Configuration and User Configuration sections.
Settings in the Computer Configuration section apply to the local computer. Settings in the User Configuration section apply to all users who log on to the local computer.
For more information on the many settings you can configure, see the sections later in this chapter titled “Configuring Group Policy Settings to Manage User Environments,” “Configuring Group Policy Settings to Manage Scripts,” “Configuring Group Policy Settings to Manage Security,” “Configuring Group Policy Settings to Redirect Folders,” and “Configuring Group Policy Settings to Manage Software Deployment.”
4. When you’re finished configuring Local Group Policy, close the Group Policy dialog box.


